From adeb5606a344e34d5b6db57bcb43416a2bf46ba7 Mon Sep 17 00:00:00 2001
From: Kath <55346310+Kathund@users.noreply.github.com>
Date: Mon, 20 Nov 2023 12:23:29 +0800
Subject: [PATCH] fix(codeQL): Patched code

---
 src/endpoints/file.ts | 8 ++++++--
 src/endpoints/save.ts | 4 ++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/endpoints/file.ts b/src/endpoints/file.ts
index 85ce05d..619695a 100644
--- a/src/endpoints/file.ts
+++ b/src/endpoints/file.ts
@@ -1,14 +1,18 @@
 import { Application, Request, Response } from "express";
 import { apiMessage, errorMessage } from "../logger";
 import { existsSync } from "fs";
-import { join } from "path";
+import { resolve } from "path";

 export default (app: Application) => {
 app.get("/:name", async (req: Request, res: Response) => {
 try {
 const fileName = req.params.name;
 apiMessage(req.path, `User is trying to get a file - ${fileName}`);
- const filePath = join(__dirname, "../", "files", fileName);
+ const fileNamePattern = /^[a-zA-Z0-9_-]+$/;
+ if (!fileNamePattern.test(fileName)) {
+ return res.status(400).json({ error: "Invalid file name" });
+ }
+ const filePath = resolve(__dirname, "../", "files", fileName);
 if (!existsSync(filePath)) {
 errorMessage(`File ${fileName} not found`);
 return res
diff --git a/src/endpoints/save.ts b/src/endpoints/save.ts
index c855d8b..75e6fd0 100644
--- a/src/endpoints/save.ts
+++ b/src/endpoints/save.ts
@@ -26,6 +26,10 @@ export default (app: Application) => {
 }

 const fileName = req.params.name;
+ const fileNamePattern = /^[a-zA-Z0-9_-]+$/;
+ if (!fileNamePattern.test(fileName)) {
+ return res.status(400).json({ error: "Invalid file name" });
+ }
 const filePath = join(__dirname, "../", "files", fileName);
 if (existsSync(filePath)) {
 errorMessage(`File ${fileName} already exists`);
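Review bot: The only thing stopping `../` traversal in the GET handler is the `fileNamePattern` allowlist; the switch from `join` to `resolve` on the `filePath` line adds no containment, since `resolve(__dirname, "../", "files", "../x")` still escapes the files directory, so anyone who later loosens the regex (for example to allow `.` for extensions) silently reopens the hole. I would add a containment check as defense in depth right after computing `filePath`: `const filesDir = resolve(__dirname, "../files");` then `if (!filePath.startsWith(filesDir + sep)) { return res.status(400).json({ error: "Invalid file name" }); }` (importing `sep` from `path`). I would also hoist the regex to module scope with a comment such as `// Allowlist: bare names only — no dots, slashes or encoded separators, so the path cannot leave ../files` so it is not recompiled per request and the intent is recorded next to it. The handler body continues past the end of the hunk.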
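Review bot: The allowlist regex added here is a byte-for-byte copy of the one added to `src/endpoints/file.ts` in the same patch, and the two handlers must agree on it or a name accepted by save becomes unreadable (or unsafe) via get; the check belongs in one shared helper, e.g. `export const isSafeFileName = (name: string): boolean => /^[a-zA-Z0-9_-]+$/.test(name);` in a module both endpoints import, replacing the inline `fileNamePattern` block with `if (!isSafeFileName(fileName)) { return res.status(400).json({ error: "Invalid file name" }); }`. Note also that save.ts keeps `join` while file.ts moved to `resolve`; with the allowlist in place they behave the same, but the inconsistency invites a future `resolve`-based "fix" that does not actually add containment. The `existsSync` check that follows is a check-then-act sequence: if the write after the hunk is a plain `writeFile`, two concurrent saves of the same name both pass it, whereas opening with the `"wx"` flag would make the create atomic — I cannot see the write from here. The enclosing handler starts and ends outside the hunk.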